One year after WannaCry, the ransomware threat is not what it used to be
One year after WannaCry, the ransomware threat is not what it used to be

This time last year, organisations around the world were still reeling in the wake of WannaCry, one of the largest security incidents in history. The most notorious impact was dozens NHS trusts across the UK being crippled as staff were locked out of key systems, but Europol estimates that more than 200,000 devices spread across 150 countries were hit within the first couple of days. 

With many organisations still feeling the sting of the virus months after the outbreak, the incident was increasingly seen as the emergence of a new wave of devastating, global ransomware attacks that could cripple global economies.

Fast forward 12 months however, and it is increasingly apparent that the attacks of 2017 likely represented the peak of ransomware, not a new dawn. Ransomware certainly continues to persist as a threat, and new attacks have continued to make the headlines, with recent examples including an outbreak of WannaCry hitting operations at Boeing, and a major shutdown of public services in the city of Atlanta in March. 

Overall however, both the number of infections and the number of different families appear to have crested. In 2015, there were roughly 350 different ransomware families, but as of 2017, this had shrunk down to 170, a fall of roughly 50 percent – and this shrinkage is continuing into 2018.

Why have cyber-criminals moved on from ransomware? 

From a defender's perspective this development is positive since it means security teams and solutions are more familiar with how ransomware operates and are less likely to encounter new, unknown techniques. Previously, anyone in the business of creating malware seemed to jump on the bandwagon to create their own strain as it seemed like easy money. 

However, a groundswell response from the security community stemmed the flow of pay-outs. Ransomware that was either poorly coded or had a flaw in the encryption implementation was quickly defeated with free utilities designed to either stop infections outright or facilitate the recovery of locked files without paying the ransom. With ransomware increasingly easy to counter, the underground market shifted, and it lost its position as a top money maker. 

Similarly, the response from the security industry means that, aside from a few outlying cases making the headlines, we have seen a downwards trend in the number of infections. The global spread of WannaCry and NotPetya represented an anomalous spike in the middle of 2017, and overall infection rates have declined ever since. 

Alongside the availability of effective anti-ransomware solutions, WannaCry and NotPetya themselves actually helped to contribute to the decline of ransomware as a leading attack method. The unprecedented media coverage for the two incidents served as a powerful awareness campaign, spurring previously vulnerable organisations to acquire defensive solutions and implement better processes around patching and updating systems.  Further, there were many cases of systems remaining locked even when the ransom was paid, undermining the fundamental money-making aspect of ransomware. Victims will be far less likely to reach for their wallets if they are aware it may not actually achieve anything. 

The lingering threat

All of this is not to say that ransomware has disappeared as a risk. Rather, it has evolved into a new threat, which is both more focused and more capable. Malicious coders who kept working on ransomware as a monetised attack have refined their software, and some have even used mainstream software development approaches such as agile practices to rapidly improve their malware. 

Similarly, those attackers still using ransomware are doing so in a more targeted way. Rather than a generalised approach that attempts to lock away intellectual property, which can be easily backed up and recovered, there have been more attacks against targets such as municipal governments and industries. The severe disruption caused by an attack on the IT infrastructure of manufacturers, hospitals, utility providers and logistic companies better lends itself to extortion. 

While ransomware is here to stay, it has transitioned from a universal threat to one that is both more targeted and more manageable. The results are a mixed blessing for the security industry. While ransomware itself is now easier to guard against, its decline has opened a space for other attack methods that are harder to predict, from banking Trojans and rootkits to browser hijacks and password loggers. The remaining ransomware attackers are likely to be deployed in a more sophisticated way than WannaCry's uncontrolled blast, so the industry must continue to be vigilant against the threat.

Contributed by Ross Rustici, senior director, intelligence services at Cybereason

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.